I am trying to create an admin role/user in PostgreSQL which should fulfil the following requirements:
Should be able to do backup for the particular database (and not
others)
Should be able to create usernames which can access the
particular database (and not others).
Should be able to create/delete tables in the specific database and not other database
Should not be able to create other data bases.
This is what I have so far:
create role dba with nosuperuser createdb createrole nologin replication bypassrls;
grant usage on schema public to dba;
alter default privileges in schema public grant all on tables to dba;
alter default privileges in schema public grant all on sequences to dba;
grant connect on database myDatabase to dba;
grant usage on schema public to dba;
grant select on all tables in schema public to dba;
grant select on all sequences in schema public to dba;
grant all privileges on all tables in schema public to dba;
create user dba_user login inherit encrypted password 'password' in role dba;
Please advise how to modify the above code to fulfill the requirements.
To achieve that, perform the following modifications:
Transfer ownership of the database and all schemas and objects in it to the new user.
Give the user CREATEROLE.
Make sure to REVOKE CONNECT ON all databases FROM PUBLIC. Grant the new user the CONNECT privilege on the database in question.
Don't give the new user any permissions on other databases or objects therein.
Related
what's the recommended way to provide readonly access to all databases in postgresql version 12.
I am using this found at How do you create a read-only user in PostgreSQL?
CREATE ROLE readaccess;
CREATE USER my_user_test WITH PASSWORD 'my_user_test';
GRANT readaccess TO my_user_test;
\c database_name;
-- need to connect to the database first on which we need to execute the below commands
GRANT CONNECT ON DATABASE database_name TO readaccess;
GRANT USAGE ON SCHEMA public TO readaccess;
GRANT SELECT ON ALL TABLES IN SCHEMA public TO readaccess;
-- Assign permissions to read all newly tables created in the future
ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT ON TABLES TO readaccess;
But using this approach I need to individually connect to each database and provide the role read only access.
Is there a better approach to provide a read only access all existing databases at once?
Thanks.
We have an existing postgres database in production with a superuser adm that is being used to do everything. Our web application connects to the database using the same user and also the administrators(for patching/updating etc.) use the same credentials.
We have to fix this to have roles so that we can have read-write, readonly and admin roles.
We don't want our web application and admin to connect to the database as superuser.
With that being said, I have created the following sql script to make the appropriate roles.
I am not a database expert(not yet) so wanted to know the issues or better ways to solve this.
ALTER ROLE adm NOLOGIN;
CREATE role user_role NOINHERIT;
CREATE role readonlyuser_role NOINHERIT;
CREATE role admin_role CREATEDB CREATEROLE NOINHERIT;
CREATE ROLE u_service LOGIN PASSWORD '<some password>' INHERIT;
CREATE ROLE u_admin LOGIN PASSWORD '<some password>' INHERIT;
CREATE ROLE u_reader LOGIN PASSWORD '<some password>' INHERIT;
GRANT SELECT ON ALL TABLES IN SCHEMA public TO readonlyuser_role;
GRANT ALL PRIVILEGES ON SCHEMA public TO admin_role;
GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO user_role, admin_role;
GRANT ALL PRIVILEGES ON ALL FUNCTIONS IN SCHEMA public TO user_role, admin_role;
GRANT ALL PRIVILEGES ON ALL SEQUENCES IN SCHEMA public TO user_role, admin_role;
GRANT ALL PRIVILEGES ON ALL PROCEDURES IN SCHEMA public TO user_role, admin_role;
GRANT ALL PRIVILEGES ON ALL ROUTINES IN SCHEMA public TO user_role, admin_role;
GRANT ALL PRIVILEGES ON SCHEMA audit TO admin_role;
GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA audit TO admin_role;
GRANT ALL PRIVILEGES ON ALL FUNCTIONS IN SCHEMA audit TO admin_role;
GRANT ALL PRIVILEGES ON ALL SEQUENCES IN SCHEMA audit TO admin_role;
GRANT ALL PRIVILEGES ON ALL PROCEDURES IN SCHEMA audit TO admin_role;
GRANT ALL PRIVILEGES ON ALL ROUTINES IN SCHEMA audit TO admin_role;
GRANT admin_role TO u_admin;
GRANT user_role TO u_service;
GRANT readonlyuser_role TO u_reader;
A few things to consider.
Spell out what user_role and readonlyuser_role can do
Start by revoking all privileges from both these roles, then add them back only as needed. This makes it both clearer in your intentions about what the roles should do, and safer in practice because higher privileges than intended won't accidentally sneak in.
REVOKE ALL ON SCHEMA public FROM public; --only authorized roles can do anything here.
REVOKE ALL ON SCHEMA public FROM user_role;
REVOKE ALL ON SCHEMA public FROM readonlyuser_role;
GRANT ...
The Database Owner is a local Superuser
We usually make the db owner an additional role; one who only logs in to create or alter the schema, then gracefully exits. If your admin_role does more than this, consider adding an owner_role.
Does a public role need to connect?
Consider adding
REVOKE CONNECT ON DATABASE yourdb FROM public;
This blocks the loophole where any role created on the same DB server could log into this database.
Do all this in a transaction block
Stopping privilege assignment half-way through the job can lead to all sorts of trouble, much akin to locking your keys in your car. Make the privilege assignments a single transaction where possible, so a missed semicolon doesn't lock you out.
I'm using CloudSQL Postgres 11 on GCP, and I've got a few questions around permissions and grants. I'm just not getting it at the moment, being very new to postgres.
I have a user, pgadmin which is a superuser. With this user I can connect to the instance and create a database called 'sandbox' for example.
I then have an app role which is defined as follows:
CREATE ROLE app;
GRANT CONNECT ON DATABASE <database name> TO app;
GRANT USAGE, CREATE ON SCHEMA public TO app;
GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO app;
ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT ALL PRIVILEGES ON TABLES TO app;
GRANT USAGE ON ALL SEQUENCES IN SCHEMA public TO app;
ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT USAGE ON SEQUENCES TO app;
I create a user called app_sandbox which I grant this role.
The app user then makes a db migration using flyway which creates 2 tables. That side of things is fine.
But with my superuser, pgadmin, I can't see these tables or query them even though this user owns the database and is a superuser. I've tried all sorts of grants. Feels like I'm missing something important because even if I true to create a readonly role with the pgadmin user I am unable to grant access to the underlying tables in the public schema of the database.
What am I missing?
Just because one user (=pgadmin) owns the database, does not mean that user also owns the tables created in that database. And because pgadmin doesn't own those tables, you can't access them when logged in as pgadmin
If the app user created the tables, they belong to that user, and only the app user can grant privileges on those tables to other users.
I am aware that similar questions have been asked before, but the answers do not appear to solve my problem, so I think a more complete answer would be valuable.
I would like to create a read-only user for a postgresql database. I have already granted access to the server for my user using the pg_hba.conf file.
As the postgres admin user, I have run the following commands:
CREATE ROLE read_only_user NOSUPERUSER INHERIT NOCREATEDB NOCREATEROLE NOREPLICATION;
GRANT CONNECT ON DATABASE the_database TO read_only_user;
GRANT USAGE ON SCHEMA public to read_only_user;
GRANT SELECT ON ALL TABLES IN SCHEMA public TO read_only_user;
GRANT SELECT ON ALL SEQUENCES IN SCHEMA public TO read_only_user;
ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT ON TABLES TO read_only_user;
ALTER ROLE read_only_user WITH PASSWORD '*********************';
ALTER ROLE read_only_user VALID UNTIL 'infinity';
ALTER ROLE read_only_user WITH LOGIN;
ALTER USER read_only_user SET search_path = public;
As a result, I am able to log in to the the_database DB locally, and remotely using a DB client, with username and password authentication and I can list the tables in the database. However, any attempt to select or view the contents of the database results in
ERROR: permission denied for relation the_table
What other permissions are needed, since as far as I can tell, all the necessary permissions are granted.
I want to set a user which I can use remote, that for a database can:
do any rows operations
can't add new columns
can't delete/create database or tables
I don't want the user to have access to other databases
I executed:
GRANT ALL PRIVILEGES ON DATABASE "example" to user_name;
REVOKE CREATE ON DATABASE "example" FROM user_name;
GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO user_name;
The following fails:
REVOKE CREATE ALL TABLES IN SCHEMA public FROM user_name;
invalid privilege type CREATE for relation
Can you, please, add all necessary steps.
Also,:
some help to what to set in pg_admin drop, to import only data remotely.
In Ubuntu set/activate full search
You probably want to keep the user from crating tables in schema public.
For that, you must revoke the CREATE privilege on that schema which is by default granted to everybody:
REVOKE CREATE ON SCHEMA public FROM PUBLIC;
If you want to user to have permissions on tables that will be created in the future, consider using ALTER DEFAULT PRIVILEGES.